Security Issues For Many Alcatel DSL Modems

gle was one of many readers to write about an interesting security problem: "If you own an Alcatel DSL modem, you will be interrested to know that virtually anybody on the planet is probably able to reconfigure you modem, steal your passwords, sniff your data, install a custom firmware into it, or just break it for fun. Lack of proper authentification, and various back-doors have been pointed out amongst various design flaws. The man who discovered this is Tsutomu Shimomura, who got famous at getting Kevin Mitnick arrested. Alcatel claims 36% share of the DSL market, with more than 1.7 million units installed ..." So if you have DSL, you might want to check the label on the side of the modem about now.

Re:Pure Bullshit

I'm Renaud Deraison (no slashdot account, sorry) I did not discover anything. I just pointed out that Alcatel modems are passwordless by default. Shimomura extends that by saying that even if you set a password, it can be bypassed. But you have to be able to directly connect to the modem to exploit that, that is, you need to either be the ISP of your target, or have control on a host on the target's lan.

Some things

If you own an Alcatel DSL modem, you will be interrested to know that virtually anybody on the planet is probably able to reconfigure you modem, steal your passwords, sniff your data, install a custom firmware into it, or just break it for fun.

This is mostly bullshit! First you'd have to gain access to the computer or network the Alcatel modem is on. And for that you'd have to gain root. The only outside attacks possible are out of your hands anyway (someone will need to tap your phoneline or break into your telco provider).

However, the default security setting of the Alcatel modem IS pathetic in the sense that it has an open frontdoor!

Some things you need to take care of:

• Change the default IP address. Not very helpful, but it's better than the 10.0.0.138 default everyone knows.
• Set a password!
• Block all non-essential traffic to the modem. That means blocking FTP, TELNET, TFTP and HTTP when not configuring the modem. Configuration is only needed once. Not blocking this traffic means anyone can still gain access through the "EXPERT" login.
• The above point means you cannot safely attach your Alcatel modem to a firewall-impaired HUB.
• Bug Alcatel / your DSL provider about this!

The most disturbing flaw is the fact that IF someone gains access to your modem they can render it unusable, requiring hardware replacement :(

-adnans (blessed/cursed with one of these)

Worst security model for a long time?

All I can say is 'Ouch!'.
I'm damn glad I've got a cable modem, which doesn't seem to be doing all this crazy stuff.
I find it rather perturbing that anybody in their right mind these days could leave an unauthenticated TFTP server running, with permissions to overwrite a password.
Even if it is 'supposed' to be run from the LAN side of the device.
Backdooring is also very very evil. All it takes is for one black hat to acquire the cryptovariables and algorithm, then it's script kiddie heaven!
Alcatel, being one of the major telecoms providers, I'd have thought would be a little more careful about the production and security of their devices. It's not as if it'd break their bank hiring a few good security consultants to go over their device before selling it. Lawsuits that may ensue due to their negligence in correctly allowing security configuration of the device may seriously damage it though.
All this in mind, having a device with this lax security on it is a contravention of most ISPs TOS. I know I'd get thrown off in an instant if I had a machine this insecure on my cable!
Again, it looks like a victory for the beancounters (we can shave a few grand off the development costs by not hiring security consultants, and that'll make this department look nicer on the profit side. Who cares abbout the other departments who have to cope with the flak later).
I think I'l just say I've very disappointed with a company of this standing to have procedures this lax, and leave it at that.

Cheers,

Malk

ZDNET story

Alcatel told zdnet [zdnet.com] the remote update is "a feature that is intended to allow communications service providers to remotely upgrade the software within their customers' modems."

Re:Pure Bullshit

I just used up all my moderator points, or I'd up this comment.

Renaud Deraison is known in french security circles for his nessus scanner, a program similar to nmap. He published his findings at the end of last year, but it wasn't widely trumpeted at the time. Shimomura is a publicity whore who copied Deraison's comments (probably used the fish, the grammar follows the same butchering) and claimed the discovery as his own. A few days ago, there was a press release going around touting Shimomura's discovery, not a CERT advisory, just a press release from the San Diego Super Computer Research Center.

The french paper Le Liberation [liberation.fr] ran a story [liberation.fr] filled with horror but little detail. Some of the claims are ridiculous, such as how someone who cracks the modem has unlimited access to every file on all the computers behind it, and how any machine on the internet can access the modems which sit on unaddressable IP addresses (the 10.x.x.x private IPs from RFC 1918)

Today Le Libe is running a follow up story [liberation.fr] where Alcatel denies the backdoors were placed intentionally, and claims there is a security program installed on the modems to prevent cracking by unauthorised persons.

I have a Speed Touch Home modem, and I've played with these backdoors. In /. speak, they are a number of IP services, the "simple" services (echo, chargen, etc), an HTTP server, an FTP server, a telnet server, and a TFTP server. The modem has a simple internal file system, and if you know the names of the files, you can copy them or overwrite them with TFTP. If you connect with telnet (or FTP), it presents you with the MAC address of the modem, and asks for a password, which is a simple hash of the MAC address. Deraison either intercepted his provider connecting and reverse engineered the hash, or he had access to some engineering docs at an ISP, or played around and figured it out. Either way, an impressive hack, in the good sense of the word.

Since the modem uses "private" IP addresses, and access is limited to the local LAN or from the DSLAM, he didn't consider this to be a big problem. The modems typically sit on the DSLAMs private address range, and only connect the users computer to the BAS using PPoE or PPPoA, and can't really generate traffic to the internet. To gain access to the modems, you would either have to crack the DSLAM, crack the users computer, be on the same DSLAM (and thus same subnet) as the target, or intercept the copper wires and play DSLAM. Of these scenari, only cracking a computer on the LAN behind the modem would be possible from the internet at large, and if you can do that, why bother with a stupid little DSL modem?

I agree with Betcour (and a large crowd on fr.comp.securite) on this, Shimomura is tooting his own horn because his bank account is empty after Cybertraque flopped at the cinema. Did Takedown ever open in the U.S.? If it didn't, count your blessings, it was bad, not Ed Wood bad, just unredeemably bad.

the AC

Proper spelling on story lead

Lack of proper authentification...

That's authentimacation , thank you very much.

Homer

Pure Bullshit

According to the Webzine transfert.net, this is just a PR stunt from Shimomura. The thing was discovered in november 2000 by Renaud Deraison, who makes the Nessus security checking program. This is a very minor problem, as only someone able to spoof IP 10.0.0.138 can try to use the exploit. Deraison updated his Nessus program to check for the flaw but didn't make a securitu alert because he didn't think it was worth it.

Now Shimomura, 4 months later, decided he could make some quick bucks with the idea and told about it to a few people, then to the press and CERT. A normal security alert goes to the manufacturer first (to give him a chance to make a patch) and then to the CERT. Obviously Shimomura is a lamer trying to claim his someone else work and make some fame out of a minor event and the medias ignorance.

I'm safe...

Thanks to NorthPoint going down, my DSL modem is 100% secure...

...it's 100% useless, but totally secure.

Two weeks without Internet access and still surviving.

-_underSCORE

Tsutomu Shimomura's ego

My god, even the SDSC advisory makes it a point to mention that Tsutomu Shimomura is the guy that nailed Kevin Mitnick. I mean, ok dude you're l33t, but enough already!! I actually tried reading Takedown, but I gave up after two chapters of Shimomura's ego-stroking.

At least the CERT Advisory managed to avoid the Mitnick angle....

--

Don't rely on Slashdot for security information

Better to sign up to something like CERT [cert.org] advisories than rely on random postings to Slashdot.

Really.

This was announced on their list about 14 hours ago.

French link

According to this article [transfert.net] (in French: use the fish [altavista.com]), this is a bit over-hyped.
--

Not me! Im not affected!

What suprises me from all theese results is the "Not me!" "Im not affected" "Those bastards!"

I think what people dont realize is this affects everyone. some kid who looses his irc channel #NetPimps.are.us on EFnet wants it back, but an ircop refuses to help, because he's net sexing his girlfriend. so this 9 yr old on ten gallons of jolt fires up nmap with os fingerprinting, and creates a script to test to see if he can comprise the router, set its own password, and fires up yet another script, to have all theese people with poarly secured routers start dossing the ircop, the ircops efnet server, and the other 9 yr olds who took his channel.

But oh no! "Its not me" isp uses the same backbone as theese routers, and gee, how bad would 5,000 dsl modems running ping -f -s 9999 slow down a network?

suddenly, your all affected by this poar security

i think people need to stop shruging things off like this and work together, if you want to flood something, whats better? 1 user or 100 users?

if you want something fixed, whats better? 1 user complaining? or 100 users complaining?

exploiting MLK

Alcatel is the company that recently exploited MLK to pitch their goods. It looks like Instant Karma has caught up with them. Read some more about the tasteless ads they produced: http://slate.msn.com/moneybox/entries/01-04-02_103 560.asp